Working Drafts

→ Abstract

Event-driven programming is based on a natural abstraction: an event is a computation that
can eventually return a value. This paper exploits the intuition relating events and time by
drawing a Curry-Howard correspondence between a functional event-driven programming language
and a linear-time temporal logic. In this logic, the eventually proposition ◇A describes
the type of events, and Girard’s linear logic describes the effectful and concurrent nature of
the programs. The correspondence reveals many interesting insights into the nature of event-
driven programming, including a generalization of selective choice for synchronizing events, and
an implementation in terms of callbacks where ◇A is just ¬□¬A.

→ Abstract

Bidirectional typechecking, in which terms either
synthesize a type or are checked against a known type,
has become popular for its scalability, its error
reporting, and its ease of implementation. Following
principles from proof theory, bidirectional typing can
be applied to many type constructs.
The principles underlying a bidirectional approach to
indexed types (generalized algebraic
datatypes) are less clear. Building on
proof-theoretic treatments of equality, we give a
declarative specification of typing based
on focalization. This approach permits
declarative rules for coverage of pattern matching, as
well as support for first-class existential types
using a focalized subtyping judgment.
We use refinement types to avoid explicitly passing
equality proofs in our term syntax, making our
calculus close to languages such as Haskell and
OCaml. An explicit rule deduces when a type is
principal, leading to reliable substitution principles
for a rich type system with significant type
inference.

We also give a set of algorithmic typing rules, and
prove that it is sound and complete with respect to
the declarative system. The proof requires a number
of technical innovations, including proving
soundness and completeness in a mutually-recursive
fashion.

Conference Papers and Journal Articles

→ Abstract→ BibTeX

Datalog may be considered either an unusually powerful query language or a
carefully limited logic programming language. It has been applied successfully
in a wide variety of problem domains thanks to its "sweet spot" combination
of expressivity, optimizability, and declarativeness. However, most use-cases
require extending Datalog in an application-specific manner. In this paper we
define Datafun, an analogue of Datalog supporting higher-order functional
programming. The key idea is to track monotonicity via types.

→ Abstract→ BibTeX

Effective support for custom proof automation is
essential for large-scale interactive proof development.
However, existing languages for automation via tactics
either (a) provide no way to specify the behavior of
tactics within the base logic of the accompanying
theorem prover, or (b) rely on advanced type-theoretic
machinery that is not easily integrated into established
theorem provers.

We present Mtac, a lightweight but powerful extension to Coq that
supports dependently-typed tactic programming. Mtac tactics have
access to all the features of ordinary Coq programming, as well as a
new set of typed tactical primitives. We avoid the need to touch the
trusted kernel typechecker of Coq by encapsulating uses of these new
tactical primitives in a monad, and instrumenting Coq so that it
executes monadic tactics during type inference.

→ Abstract→ BibTeX

In this paper, we show how to integrate linear types with
type dependency, by extending the linear/non-linear
calculus of Benton to support type dependency.

Next, we give an application of this calculus by giving a
proof-theoretic account of imperative programming, which requires
extending the calculus with computationally irrelevant
quantification, proof irrelevance, and a monad of computations. We
show the soundness of our theory by giving a realizability model in
the style of Nuprl, which permits us to validate not only the
β-laws for each type, but also the η-laws.

These extensions permit us to decompose Hoare triples into
a collection of simpler type-theoretic connectives,
yielding a rich equational theory for dependently-typed
higher-order imperative programs. Furthermore, both the
type theory and its model are relatively simple, even when
all of the extensions are considered.

→ Abstract→ BibTeX

Deterministic-by-construction parallel programming
models offer programmers the promise of freedom from
subtle, hard-to-reproduce nondeterministic bugs in
parallel code. A principled approach to
deterministic-by-construction parallel programming with
shared state is offered by LVars: shared memory
locations whose semantics are defined in terms of a
user-specified lattice. Writes to an LVar take the
least upper bound of the old and new values with respect
to the lattice, while reads from an LVar can observe
only that its contents have crossed a specified
threshold in the lattice. Although it guarantees
determinism, this interface is quite limited.

We extend LVars in two ways. First, we add the
ability to "freeze" and then read the contents of an
LVar directly. Second, we add the ability to attach
callback functions to an LVar, allowing events to be
triggered by writes to it. Together, callbacks and
freezing enable an expressive and useful style of
parallel programming. We prove that in a language where
communication takes place through freezable LVars,
programs are at worst quasi-deterministic: on every run,
they either produce the same answer or raise an error.
We demonstrate the viability of our approach by
implementing a library for Haskell supporting a variety
of LVar-based data structures, together with two case
studies that illustrate the programming model and yield
promising parallel speedup.

→ Abstract→ BibTeX

Bidirectional typechecking, in which terms either
synthesize a type or are checked against a known type,
has become popular for its scalability (unlike
Damas-Milner type inference, bidirectional typing
remains decidable even for very expressive type
systems), its error reporting, and its relative ease of
implementation. Following design principles from proof
theory, bidirectional typing can be applied to many type
constructs. The principles underlying a bidirectional
approach to polymorphism, however, are less obvious. We
give a declarative, bidirectional account of higher-rank
polymorphism, grounded in proof theory; this calculus
enjoys many properties such as η-reduction and
predictability of annotations. We give an algorithm for
implementing the declarative system; our algorithm is
remarkably simple and well-behaved, despite being both
sound and complete.

→ Abstract→ BibTeX

Functional reactive programming (FRP) is an elegant
approach to declaratively specify reactive
systems. However, the powerful abstractions of FRP have
historically made it difficult to predict and control
the resource usage of programs written in this
style.

In this paper, we give a new language for higher-order
reactive programming. This language generalizes and
simplifies prior type systems for reactive programming,
supporting the use of first-class streams, such as
streams of streams; first-class functions and
higher-order operations; and permits encoding many
temporal operations beyond streams, such as terminatable
streams, events, and even resumptions with first-class
schedulers. Furthermore, our language supports an
efficient implementation strategy permitting us to
eagerly deallocate old values and statically rule out
spacetime leaks, a notorious source of
inefficiency in reactive programs. Furthermore, these
memory guarantees are achieved without the use
of a complex substructural type discipline.

We also show that our implementation strategy of eager
deallocation is safe, by showing the soundness of our
type system with a novel step-indexed Kripke logical
relation.

→ Abstract→ BibTeX

Effective support for custom proof automation is
essential for large-scale interactive proof development.
However, existing languages for automation via
tactics either (a) provide no way to specify the
behavior of tactics statically within the logic of the
theorem prover or (b) rely on advanced type-theoretic
machinery that is not easily integrated into established
theorem provers.

We present Mtac, a lightweight but powerful
extension to Coq for supporting dependently-typed tactic
programming. Mtac tactics have access to all the
features of ordinary Coq programming, as well as a new
set of typed tactical primitives. We avoid the need to
touch the trusted kernel typechecker of Coq by
encapsulating uses of the new tactical primitives in a
monad, and instrumenting Coq so that it
executes monadic tactics during type inference.

→ Abstract→ BibTeX

We give the first relationally parametric model of the
extensional calculus of constructions. Our model remains
as simple as traditional PER models of types, but unlike
them, it additionally permits the relating of terms that
implement abstract types in different ways. Using our
model, we can validate the soundness of quotient types, as
well as derive strong equality axioms for Church-encoded
data, such as the usual induction principles for Church
naturals and booleans, and the eta law for strong
dependent pair types. Furthermore, we show that such
equivalences, justified by relationally parametric
reasoning, may soundly be internalized (i.e. added as
equality axioms to our type theory). Thus, we demonstrate
that it is possible to interpret equality in a
dependently-typed setting using parametricity. The key
idea behind our approach is to interpret types as
so-called quasi-PERs (or zigzag-complete
relations), which enable us to model the symmetry and
transitivity of equality while at the same time allowing
for different representations of abstract types.

→ Abstract→ BibTeX

Many substructural type systems have been proposed for
controlling access to shared state in higher-order
languages. Central to these systems is the notion of a
resource, which may be split into disjoint
pieces that different parts of a program can manipulate
independently without worrying about interfering with
one another. Some systems support a logical
notion of resource (such as permissions), under which
two resources may be considered disjoint even if they
govern the same piece of state. However, in
nearly all existing systems, the notions of resource and
disjointness are fixed at the outset, baked into the
model of the language, and fairly coarse-grained in the
kinds of sharing they enable.

In this paper, inspired by recent work on "fictional
disjointness" in separation logic, we propose a simple
and flexible way of enabling any module in a program to
create its own custom type of splittable resource
(represented as a commutative monoid), thus providing
fine-grained control over how the module's private state
is shared with its clients. This functionality can be
incorporated into an otherwise standard substructural
type system by means of a new typing rule we call
the sharing rule, whose soundness we prove
semantically via a novel resource-oriented Kripke
logical relation.

→ Abstract→ BibTeX

We present an extension of System F with types for
term-level equations. This internalization of the rich
equational theory of the polymorphic lambda calculus
yields an expressive core language, suitable for
formalizing features such as Haskell's rewriting rules
mechanism or Extended ML signatures.

→ Abstract→ BibTeX

Functional reactive programming (FRP) is an elegant and
successful approach to programming reactive systems
declaratively. The high levels of abstraction and
expressivity that make FRP attractive as a programming
model do, however, often lead to programs whose resource
usage is excessive and hard to predict.

In this paper, we address the problem of space leaks in
discrete-time functional reactive programs. We present a
functional reactive programming language that statically
bounds the size of the dataflow graph a reactive program
creates, while still permitting use of higher-order
functions and higher-type streams such as streams of
streams. We achieve this with a novel linear type theory
that both controls allocation and ensures that all
recursive definitions are well-founded.

We also give a denotational semantics for our language
by combining recent work on metric spaces for the
interpretation of higher-order causal functions with
length-space models of space-bounded computation. The
resulting category is doubly closed and hence forms a
model of the logic of bunched implications.

→ Abstract→ BibTeX

We give a denotational model for graphical user
interface (GUI) programming using the Cartesian closed
category of ultrametric spaces. The ultrametric
structure enforces causality restrictions on reactive
systems and allows well-founded recursive definitions by
a generalization of guardedness. We capture the
arbitrariness of user input (e.g., a user gets to
\emph{decide} the stream of clicks she sends to a
program) by making use of the fact that the closed
subsets of an ultrametric space themselves form an
ultrametric space, allowing us to interpret
nondeterminism with a ``powerspace'' monad.

Algebras for the powerspace monad yield a model of
intuitionistic linear logic, which we exploit in the
definition of a mixed linear/non-linear domain-specific
language for writing GUI programs. The non-linear part
of the language is used for writing reactive
stream-processing functions whilst the linear
sublanguage naturally captures the generativity and
usage constraints on the various linear objects in GUIs,
such as the elements of a DOM or scene graph.

We have implemented this DSL as an extension to OCaml,
and give examples demonstrating that programs in this
style can be short and readable.

→ Abstract→ BibTeX

We describe a denotational model of higher-order
functional reactive programming using ultrametric spaces
and nonexpansive maps, which provide a natural Cartesian
closed generalization of causal stream functions and
guarded recursive definitions. We define a type theory
corresponding to this semantics and show that it
satisfies normalization. Finally, we show how to
efficiently implement reactive programs written in this
language using an imperatively updated dataflow graph,
and give a separation logic proof that this low-level
implementation is correct with respect to the high-level
semantics.

→ Abstract→ BibTeX

In this paper, we show how pattern matching can be seen
to arise from a proof term assignment for the focused
sequent calculus. This use of the Curry-Howard
correspondence allows us to give a novel coverage
checking algorithm, and makes it possible to give a
rigorous correctness proof for the classical pattern
compilation strategy of building decision trees via
matrices of patterns.

→ Abstract→ BibTeX

Today's module systems do not effectively support
information hiding in the presence of shared mutable
objects, causing serious problems in the development and
evolution of large software systems. Ownership types
have been proposed as a solution to this problem, but
current systems have ad-hoc access restrictions and are
limited to Java-like languages. In this paper, we
describe System Fown, an extension of System F with
references and ownership. Our design shows both how
ownership fits into standard type theory and the
encapsulation benefits it can provide in languages with
firstclass functions, abstract data types, and
parametric polymorphism. By looking at ownership in the
setting of System F, we were able to develop a design
that is more principled and flexible than previous
ownership type systems, while also providing stronger
encapsulation guarantees.

→ Abstract→ BibTeX

The inverse method, due to Maslov, is a forward theorem
proving method for cut-free sequent calculi that relies
on the subformula property. The Logic of Bunched
Implications (BI), due to Pym and O'Hearn, is a logic
which freely combines the familiar connectives of
intuitionistic logic with multiplicative linear
conjunction and its adjoint implication. We present the
first formulation of an inverse method for propositional
BI without units. We adapt the sequent calculus for BI
into a forward calculus. The soundness and completeness
of the calculus are proved, and a canonical form for
bunches is given.

Published Workshop Papers

→ Abstract→ BibTeX

Interactive programs, such as GUIs or spreadsheets,
often maintain dependency information over
dynamically-created networks of objects. That is, each
imperative object tracks not only the objects its own
invariant depends on, but also all of the objects which
depend upon it, in order to notify them when it changes.

These bidirectional linkages pose a serious challenge
to verification, because their correctness relies upon a
global invariant over the object graph.

We show how to modularly verify programs
written using dynamically-generated bidirectional
dependency information. The critical idea is to
distinguish between the footprint of a command, and the
state whose invariants depends upon the footprint. To do
so, we define an application-specific semantics of
updates, and introduce the concept of a ramification
operator to explain how local changes can alter our
knowledge of the rest of the heap. We illustrate the
applicability of this style of proof with a case study
from functional reactive programming, and formally
justify reasoning about an extremely imperative
implementation as if it were pure.

→ Abstract→ BibTeX

Object-oriented programs are notable for making use of
both higher-order abstractions and mutable, aliased
state. Either feature alone is challenging for formal
verification, and the combination yields very flexible
program designs and correspondingly difficult
verification problems. In this paper, we show how to
formally specify and verify programs that use several
common design patterns in concert.

A Modal Sequent Calculus for Propositional Separation Logic, Neelakantan R. Krishnaswami. Unpublished draft, presented at IMLA 2008 workshop (Intuitionistic Modal Logic and Applications). Note: the sequent calculus in this paper, while satisfying cut-elimination, is NOT sound with respect to the Kripke semantics of separation logic! The proof in the draft is incorrect.